Industrial control systems security needs more work

Federal agencies and industries that use industrial control systems must avoid applying standard information security measures to secure such systems, an engineering expert advised members of the federal Information Security and Privacy Advisory Board, which met Sept. 13.

Keith Stouffer, a mechanical engineer at the National Institute of Standards and Technology’s Intelligent Systems Division, said standard antivirus protection and encryption technologies applied to industrial control systems could shut them down and, in some cases, create a public safety hazard.

Industrial control systems are typically field devices known as programmable logic controllers. “They’re basically stripped down PCs,” Stouffer said. They can’t handle cryptographic functions, such as authentication and encryption, which makes them vulnerable, he added.

Newer industrial control systems are built with Microsoft Windows operating systems and IP protocols “because they’re cheaper and easier to use,” Stouffer said. But by replacing systems built with specialized proprietary software and protocols, government and commercial industries have made their industrial control systems vulnerable to cyberattacks.

“That transition happened without thinking about security,” Stouffer said. “Now we’re having to fix what we asked for.”

Work is under way to develop security configurations for industrial control systems, he added.

Stouffer said many industry executives are unaware of cybersecurity vulnerabilities in their factories and critical infrastructures. “A lot of the higher-ups don’t know they have modems connected to the Internet,” he said. Cyberattackers can use tools called war dialers to find modems connected to industrial control systems.

The nuclear industry is probably safer than most, added Bruce Brody, the Energy Department’s associate chief information officer of cybersecurity and a member of the security advisory board. The nuclear industry still relies on proprietary protocols, so the security threat is not as great, he said.
